The 2010 Verizon Data Breach Investigations Report, based on a first-of-its-kind collaboration with the U.S. Secret Service, has found that while the overall number of breaches declined from 2008, about 85 percent of breaches could have been avoided if basic security measures had been followed.

The study, released Wednesday, analyzed more than 900 breaches involving more than 900 million compromised records. The findings showed that the electronic breaches from 2009 involved more insider threats, a greater use of social engineering and the continuing involvement of organized criminal groups.

Wade Baker, the Director of Risk Intelligence at Verizon, says, “It’s not a good statement of our general preparedness in the industry – we’ve got a lot of work to do.”

While Verizon and other telecommunications companies are good at getting projects done, says Baker, the industry just isn’t great when it comes to upkeep, maintenance and quality management.

“It’s a real struggle, and for many good and legitimate reasons,” says Baker. “It’s not ineptitude or a matter of people not caring – it’s a challenge.”

According to the report, many of the breaches fall into the category of inconsistent configuration and maintenance over time. Often, users and companies do not follow Verizon’s recommendations to change the default usernames and passwords on purchased technology.

Additionally, instances of social engineering have increased, in which criminal groups use people to call up users and ask for their passwords rather than hacking or using technology to infiltrate network systems.

“Maybe the simple hacking technique doesn’t work. So, what do you do next if you can’t exploit systems and technology? You start exploiting people,” says Baker.

The report concluded that the best defense against security breaches is being prepared. For the most part, organizations remain slow in discovering and responding to incidents.

Sixty percent of breaches continue to be discovered by third parties, and then only after a considerable amount of time – often months. Usually, it’s the credit card company or a law enforcement agency that alerts Verizon and others of possible breaches based on fraud patterns or underground chatter.

And while most victimized organizations have at least some evidence of a breach in their security logs, the evidence often gets overlooked due to a lack of staff, tools or processes.

“Clearly, there is some opportunity for improvement there,” says Baker.

He says one area of improvement is patch management, when a breach is detected and subsequently fixed.

Baker says he would love to see organizations take a little more time deploying patches consistently and effectively across the organization.